fix error response error csrf invalid

Author: khanh2906

README.md

@@ -154,7 +154,7 @@ app.use(csrf.generate({
 
 - Default errorResponse is
 ```javascript
-errorResponse: (req, res) => {
+errorResponse: (req, res, next) => {
   res.status(403).send('CSRF token invalid');
 }
 ```
@@ -163,7 +163,7 @@ errorResponse: (req, res) => {
 
 ```javascript
 // when you custom
-const newErrorResponse = (req, res) => {
+const newErrorResponse = (req, res, next) => {
   res.status(403).render('<h1>CSRF token invalid</h1>');
 }
 app.use(csrf.generate({

lib/cjs/index.js

@@ -84,7 +84,7 @@ let csrf = {
 	getTransmitToken: (req) => {
 		return req.body._csrf || req.headers['csrf-token'];
 	},
-	errorResponse: (req, res) => {
+	errorResponse: (req, res, next) => {
 		res.status(403).send('CSRF token invalid');
 	}
 }
@@ -123,6 +123,7 @@ module.exports = {
 							res.cookie(csrf.param, token, csrf.storage.options);
 							break;
 					}
+					req.currentCsrfToken = token
 				}
 				next();
 			} catch (error) {
@@ -139,7 +140,7 @@ module.exports = {
 	 * @param {function} next
 	 */
 	setTokenLocalsParam: (req, res, next) => {
-		res.locals[csrf.value] = csrf.getToken(req)
+		res.locals[csrf.value] = csrf.getToken(req) || req.currentCsrfToken
 		next();
 	},
 	/**
@@ -155,7 +156,7 @@ module.exports = {
 				const token = csrf.getTransmitToken(req);
 
 				if (!token || token !== csrf.getToken(req)) {
-					return csrf.errorResponse(req, res)
+					return csrf.errorResponse(req, res, next)
 				} else {
 					console.info("DELETE CSRF TOKEN: ", token)
 					csrf.clearToken(req, res)

lib/esm/index.js

@@ -84,7 +84,7 @@ let csrf = {
 	getTransmitToken: (req) => {
 		return req.body._csrf || req.headers['csrf-token'];
 	},
-	errorResponse: (req, res) => {
+	errorResponse: (req, res, next) => {
 		res.status(403).send('CSRF token invalid');
 	}
 }
@@ -121,6 +121,7 @@ const generate = (csrfConfig = {
 						res.cookie(csrf.param, token, csrf.storage.options);
 						break;
 				}
+				req.currentCsrfToken = token
 			}
 			next();
 		} catch (error) {
@@ -138,7 +139,7 @@ const generate = (csrfConfig = {
  * @param {function} next
  */
 const setTokenLocalsParam = (req, res, next) => {
-	res.locals[csrf.value] = csrf.getToken(req)
+	res.locals[csrf.value] = csrf.getToken(req) || req.currentCsrfToken
 	next();
 }
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@knfs-tech/csrf",
-  "version": "1.0.2",
+  "version": "1.0.3",
   "description": "Cross-site request forgery module",
   "main": "./lib/cjs/index.js",
   "module": "./lib/esm/index.js",

tests/e2e/csrf.spec.js

@@ -37,7 +37,11 @@ app.post("/test-endpoint", csrfMiddleware.protect, (req, res) => {
 	res.status(200).send("CSRF token valid");
 });
 
-app.get("/",  (req, res) => {
+app.get("/redirect",  (req, res) => {
+	res.redirect('/');
+});
+
+app.get("/", (req, res) => {
 	res.status(200).send("OK");
 });
 

tests/units/csrf.spec.js

@@ -50,7 +50,6 @@ describe('CSRF Middleware', () => {
 			req.session._csrf = 'testToken';
 
 			csrfMiddleware.setTokenLocalsParam(req, res, next);
-
 			expect(res.locals.csrfToken).toEqual('testToken');
 			expect(next).toHaveBeenCalled();
 		});